Overview on S-Box Design Principles

Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302

What is an S-Box?
S-Boxes are Boolean mappings from {0,1}m{0,1}n
m x n mappings

Thus there are n component functions each being a map from m bits to 1 bit
in other words, each component function is a Boolean function in m Boolean variables

D. Mukhopadhyay Crypto & Network Security IIT Kharagpur

Boolean Function
A Boolean function is a mapping from {0,1}m{0,1}
A Boolean function on n-inputs can be represented in minimal sum (XOR +) of products (AND .) form:
f(x1,,xn)=a0+a1. x1 ++an. xn+ a1,2.x1.x2++ an-1,n.xn-1.xn+ +a1,2,..,n x1.x2 ...xn

The ANF form is canonical If the and terms have all zero co-efficients we have an affine function If the constant term is further 0, we have a linear function

Boolean Function
A Boolean function is a mapping from {0,1}m{0,1}
f : n {0,1} be a Boolean Function. Binary sequence ( f ( 0 ), f (1 ),..., f ( 2n 1 )) is called the Truth Table of f

Sequence of a Boolean Function:

{(1) f (0 ) , (1) f (1 ) ,..., (1)
f (
2n 1

} is called sequence of f

D. Mukhopadhyay Crypto & Network Security IIT Kharagpur

Balanced Function
A Boolean function is said to be balanced if its truth table has equal number of ones and zeros. The Hamming weight of a binary sequence is the number of ones

Scalar Product of Sequences

Consider f and g as two Boolean functions. Consider, be the sequence of f and be the sequence of g. Define, < , >= (# no of cases when f=g)-(#no of cases when f g)

D. Mukhopadhyay Crypto & Network Security IIT Kharagpur

Non-linearity
The non-linearity of a Boolean function can be defined as the distance between the function and the set of all affine functions.
N
f

= m in g n d ( f , g )

w h e re A n is th e s e t o f a ll a ffin e fu n c tio n s o v e r n

d ( f , g ) = 2n 1

1 < , > 2

1 N f = 2n 1 max i =0,1,...,2n1 {| , li |}, 2 where li is the sequence of a linear function in x

A Compact Representation of all the linear functions

Hadamard Matrix: Any rxr matrix with elements in {-1,1} if HHT=rIr, where Ir is the identity matrix of dimension rxr. Walsh Hadamard Matrix:
H H 0 = 1, H 1 = n 1 H n 1 H n 1 , n = 1, 2,... H n 1

Each row of Hn is the sequence of a linear function in x belonging to {0,1}n Each row, li is the sequence of the Boolean function,
g ( x) =< i , x >, i is the binary representation of i Note that i and x are not sequences, but they are binary tuples of length n

D. Mukhopadhyay Crypto & Network Security IIT Kharagpur

Effect of Input Transformation on balanced-ness and Non-linearity

If a Boolean function, f(x) is balanced, then so is g=f(xB ^ A), A is an n-bit vector and B is an nxn 0-1 invertible matrix Non-linearity of f and g are same.

Strict Avalanche Criteria

Informally, if one bit input is changed in an SBox, then half of the output bits should be changed For a function, f to satisfy SAC the following condition is satisfied:

f ( x ) f ( x ) is balanced, where wt( )=1

Higher order SAC, when more than one input bits change Both the SAC and the higher order SAC together make Propagation Criteria (PC)

D. Mukhopadhyay Crypto & Network Security IIT Kharagpur

How to make a Boolean Function satisfy SAC?

Consider a Boolean function, f(x) Consider a non-singular {0,1} matrix of dimension nxn. If for each row of the matrix A if:
f ( x) f ( x ) is balanced, is a row of the matrix A

then g(x)=f(xA) satisfies the SAC.

Example
f(x)=x1x2 ^ x3 does not satisfy SAC? Why? Consider =(001) f(x)^f(x^e1) is balanced, e1=(100) f(x)^f(x^e2) is balanced, e2=(010) f(x)^f(x^e3) is balanced, e3=(111)
1 0 0 A= 0 1 0 1 1 1

Check that g(x)=f(xA) satisfies SAC

D. Mukhopadhyay Crypto & Network Security IIT Kharagpur

Bent Functions
Non-linearity of Boolean functions have an upper bound
N f 2 n 1 2 2
n 1

Functions which achieve this are called Bent functions They satisfy PC for all But they are always unbalanced Bent functions exist for even values of n

Example
f(x)=x1x2 ^ x3x4 is a Bent function in 4 variables If f is a Bent function
so is f ^ (affine function) f(xA ^ B) for a non-singular binary matrix A is also Bent

Bent functions are not balanced. Number of zeros, is 2n-12n/2-1

D. Mukhopadhyay Crypto & Network Security IIT Kharagpur

Creating Balanced Non-linear function

Take 2n-k, k-variable linear function, where k>n/2 Concatenate the truth-tables Thus, we obtain a nxk mapping which is non-linear
Nf2n-1-2k-1

Balanced Can be made to satisfy SAC.

Is the S-Box good against LC and DC?

Not only the component functions are good:
high non-linearity satisfy PC etc.

but their non-zero linear combinations also have to satisfy.

Challenging problem

D. Mukhopadhyay Crypto & Network Security IIT Kharagpur

Design of S-Box is even more complex

Good S-Boxes from the cryptographic point of view when put in hardware are found to leak information, like power consumption etc They thus lead to attacks called Side Channel Attacks, which can break ciphers in minutesafter all the hard-work Then there are Algebraic Attacks So, what to do? Open Research Problem(s)

Criteria of Good S-Box

Balanced Component functions Non-linearity of Component functions high Non-zero linear combinations of Component functions balanced and highly non-linear Satisfies SAC High Algebraic degree

D. Mukhopadhyay Crypto & Network Security IIT Kharagpur

Exercise
Enumerate 8 distinct linear functions in 5 variables, x1, x2, x3, x4, x5 Concatenate their Truth-tables to obtain an 8 input, 5 output function. Store the resultant mapping as a 8x5 SBox. What is the non-linearity of your SBox? Does is satisfy SAC? If not, modify the function to do so.

Further Reading
J. Seberry, Zhang, Zhang, Cryptographic Boolean Functions via Group Hadamard Matrices, AJC Journal of Combinatorics, vol 10, 1994 K. Nyberg, Differentially Uniform Mappings for Cryptography, Eurocrypt 1993 K. Nyberg, Perfect Non-linear SBoxes, Eurocrypt 1991

D. Mukhopadhyay Crypto & Network Security IIT Kharagpur

10

Next Days Topic

Modes of operation of Block Ciphers

D. Mukhopadhyay Crypto & Network Security IIT Kharagpur

11